Win10XPE : Enable SSH Server with Public Key Authentication


  1. Posts : 42
    Win11 Enterprise 23H2
       #1

    Win10XPE : How to enable SSH Server with Public Key Authentication


    Hello TenForums Friends,

    I've been thinking about enabling SSH Server on WinPE for quite some time. I was pleasantly surprised to see a thriving community for Win10XPE on this forum. So I took this opportunity to explore further.

    Normally for a full-fledged modern Windows 10, I would just enable the SSH Server feature. However, I could not do so for Win10XPE. Nor could I find any plugin. Maybe I didn't search hard enough. So I decided to give it a try myself. Let me see how far I can go, that was my approach. I am pleased to say that I could enable the SSH Server and successfully connect from a remote client using public key authentication.

    I would like to share my experience and detailed instructions. If you are a developer or a hobbyist who likes tinkering around, this one is definitely for you. Of course, this is fun-time code and shouldn't be viewed as professional production software.

    For brevity, I call the SSH Server feature sshd. I used XPE version 2022-01-07 with a Win10 Pro 20H2 x64 source for installing sshd. My host is Win10 Enterprise 22H2 x64.

    So, here it goes :

    0. Prerequisites and convention :
    0.1
    sshd runs on top of an existing and functioning Win10XPE. I assume you are already familiar with building and using it. Preferably use the WinBuilder version released on 2022-01-07 and source it from 64-bit Windows 10 version 20H2.

    0.2
    I also assume you are familiar with SSH and the public key authentication technique. You will need a pair of public and private keys generated. Type ed25519 is supported. The command on the Windows ssh-client is :

    ssh-keygen.exe -t ed25519 -f id_ed25519_win10xpe

    This will create two files :

    id_ed25519_win10xpe.pub : This is the public key file. We will need it in step 3.2 below.
    id_ed25519_win10xpe : This is the private key file. Keep it with you. Do not share this file. We use this file in step 7 below.

    0.3
    Convention :

    %basedir% : This is the directory on building host where Win10XPE.exe is located. This is a buildtime host variable.
    %WinDir% : This is a runtime Win10XPE Environment Variable. Usually it is 'X:\Windows'.
    %programdata% : This is a runtime Win10XPE Environment Variable. Usually it is 'X:\ProgramData'.

    1. Registry additions :
    1.1
    Create firewall rules file : Create a text file fw-rules-ssh.script. Paste from the source below :

    // fw rules sshd
    RegHiveLoad,Tmp_System,%RegSystem%
    RegWrite,HKLM,0x1,Tmp_System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules,sshd-udpm,"v2.30|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=22|App=#$pWinDir#$p\system32\OpenSSH\sshd.exe|Name=OpenSSH Server (sshd) udp|Desc=Inbound UDP rule for OpenSSH SSH Server (sshd) over port 22.|EmbedCtxt=OpenSSH Server|"
    RegWrite,HKLM,0x1,Tmp_System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules,sshd-tcpm,"v2.30|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=22|App=#$pWinDir#$p\system32\OpenSSH\sshd.exe|Name=OpenSSH Server (sshd) tcp|Desc=Inbound TCP rule for OpenSSH SSH Server (sshd) over port 22.|EmbedCtxt=OpenSSH Server|"
    RegHiveUnLoad,Tmp_System


    1.2
    Add the created file : Now go to WinBuilder, open " Win10XPE --> Additions " panel and tick the 'run this script after' option and choose the above created file fw-rules-ssh.script. Press the little blue arrow button next to the select dialogue button so as to play the selected script. Please see the pic below :

    [attachment: rtsa.jpg]

    2. Resources gathering :
    2.1
    OpenSSH package : Download OpenSSH zip file from : https://github.com/PowerShell/Win32-...nSSH-Win64.zip

    The webpage is : GitHub - PowerShell/Win32-OpenSSH: Win32 port of OpenSSH

    The zip file has only 1 top level folder named : OpenSSH-Win64. Extract this folder along with its contents to %basedir%\Custom\x64\AdditionalFiles\Windows\System32 . Rename the folder to OpenSSH.

    2.2
    Pecmd files : Create a folder pecmd-files in %basedir%\Custom\x64\AdditionalFiles\Windows\System32\OpenSSH. Create two files in the newly created folder. Paste the files' contents from :

    file 1 : acl-ssh-tree.txt source below :

    ssh
    D:P(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)
    ssh\administrators_authorized_keys
    D:PAI(A;;FA;;;SY)(A;;FA;;;BA)(A;;FR;;;LS)
    ssh\sshd.pid
    D:(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;AU)
    ssh\sshd_config
    D:(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;AU)
    ssh\ssh_host_dsa_key
    D:P(A;;FA;;;BA)(A;;FA;;;SY)
    ssh\ssh_host_dsa_key.pub
    D:P(A;;FA;;;BA)(A;;FA;;;SY)
    ssh\ssh_host_ecdsa_key
    D:P(A;;FA;;;BA)(A;;FA;;;SY)
    ssh\ssh_host_ecdsa_key.pub
    D:P(A;;FA;;;BA)(A;;FA;;;SY)
    ssh\ssh_host_ed25519_key
    D:P(A;;FA;;;BA)(A;;FA;;;SY)
    ssh\ssh_host_ed25519_key.pub
    D:P(A;;FA;;;BA)(A;;FA;;;SY)
    ssh\ssh_host_rsa_key
    D:P(A;;FA;;;BA)(A;;FA;;;SY)
    ssh\ssh_host_rsa_key.pub
    D:P(A;;FA;;;BA)(A;;FA;;;SY)


    file 2 : pecmd-sshd.bat source below :

    @echo off
    rem Create the log folder first (cmd's built-in mkdir); everything below is appended to a log there.
    mkdir %programdata%\ssh\logs\
    (
    rem Register sshd as an auto-start service running under the local administrator account.
    %WinDir%\system32\sc.exe create sshd binPath= "%WinDir%\system32\OpenSSH\sshd.exe" start= auto DisplayName= "OpenSSH Server for WinPE" obj= .\administrator password= ""
    rem Grant that account the "Log on as a service" right (ntrights.exe from step 2.3).
    %WinDir%\system32\ntrights.exe -u administrator +r SeServiceLogonRight
    rem Generate the host keys under %programdata%\ssh if they do not exist yet.
    %WinDir%\system32\OpenSSH\ssh-keygen.exe -A
    rem Restore the ACLs from acl-ssh-tree.txt (step 2.2) so sshd accepts the key files.
    %WinDir%\system32\icacls.exe %programdata% /restore %WinDir%\system32\OpenSSH\pecmd-files\acl-ssh-tree.txt /c
    %WinDir%\system32\net.exe start sshd
    ) 1>> %programdata%\ssh\logs\pecmd-sshd.log 2>&1


    2.3
    ntrights : Download ntrights.zip from here : https://www.tenforums.com/attachment...a-ntrights.zip

    Extract ntrights.exe from above zip file and save it to : %basedir%\Custom\x64\AdditionalFiles\Windows\System32

    3. Configure OpenSSH files and folders :
    3.1
    Open %basedir%\Custom\x64\AdditionalFiles\Windows\System32\OpenSSH\sshd_config_default in a text editor such as notepad and save it as %basedir%\Custom\x64\AdditionalFiles\ProgramData\ssh\sshd_config . After saving continue editing the same file.

    Please note that any line starting with # is a comment.

    Locate the Logging section and add these two lines :

    SyslogFacility LOCAL0
    LogLevel DEBUG3


    These log options will generate a verbose log useful for debugging ( if needed ). You may leave the old lines commented.

    Similarly add this line to Authentication section :

    AuthorizedKeysFile %programdata%\ssh\authorized_keys

    You need to comment out the old line.

    Now save and close the sshd_config file editing.

    3.2
    Now in a text editor (such as notepad ) open a new blank file named : %basedir%\Custom\x64\AdditionalFiles\ProgramData\ssh\administrators_authorized_keys

    Paste the public key file id_ed25519_win10xpe.pub contents ( from step 0.2 ) into the new file, save it and close the editor.

    4. Amend pecmd.ini :

    Please open file %basedir%\Custom\Pecmdini\pecmd.ini in a text editor such as notepad. Please locate the line : CALL NetInit

    After this add the following line :

    %WinDir%\system32\OpenSSH\pecmd-files\pecmd-sshd.bat

    Save and close the file.


    5. Now all resources are in place. You may build the Win10XPE_x64.ISO by clicking the BigBlueButton.

    6. When the build is complete, you may run the Win10XPE. Use a virtual machine or deploy it to a real machine. Boot the Win10XPE. Do not switch to administrator account. During the logon processes sshd will start automatically. You can check that in next step below.

    7. Grab a remote ssh-client. Make sure you have the private key created in step 0.2 above available over there. Open a command prompt and type :

    ssh.exe administrator@<ip address or hostname of the Win10XPE> -i id_ed25519_win10xpe

    Now you are in Win10XPE's shell at X:\Windows

    Enjoy !

    Disclaimers :

    1. This is a funcode exercise. Please do not use it as a production software.

    2. ntrights.exe is an obsolete tool. But it works.

    3. Security implications : There could be some. I do not know. Please use this facility at your risk.

    Credits :

    1. www.tenforums.com : I owe a ton of thanks to TenForums website for obvious reasons. I am using their forum to write this article.

    2. Theoven.org : That's how I became interested in building WinPEs.

    3. ChrisR : a.k.a. The Legend. His colossal efforts and acute insights made Win10XPE project live and running. The 'Quick Start Guide' he wrote is an extremely useful resource.

    4. Kyhi : He is enthusiastically maintaining the project here : Win10XPE - Build Your Own Rescue Media [2]

    His tips are indispensable.

    5. I am thankful to Win10XPE community members such as APT38, Megahertz, SIW2, doudiii and many more for building a thriving community. That really triggered my sustained interest.

    6. Last but not the least, it's me. Yes, I take all the credit for putting all the credits together ! ;-)

    Hope you enjoyed my ride. Let me know your views.

    Thank you!

    -Gamma
    Last edited by GammaP; 14 Oct 2022 at 11:53.
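    As an added example, not from the original post or from the Win10XPE or Win32-OpenSSH projects, here is a Python checker for the ACL listing in step 2.2. It parses the SDDL strings in the icacls /save style file and reports any host private key reachable by a trustee other than SYSTEM/Administrators (sshd on Windows rejects host key files whose ACL grants access to other accounts) and any non-admin write access to administrators_authorized_keys, which is the file that decides who may log in. The two sample trees are constructed (one copied from the page's entries, one deliberately loosened); the rights aliases and access-mask bits are the standard Win32 values.

```python
"""Policy check for the icacls /save style ACL file of step 2.2 (added example).

The file alternates a relative path line with an SDDL DACL line. Parsing the
DACL lets us verify, before building the ISO, that host private keys are
reachable only by SYSTEM and Administrators and that the trusted-keys file
cannot be modified by anyone else.
"""
import re
from typing import Dict, List, Tuple

ADMIN_TRUSTEES = {"SY", "BA"}  # Local System, Builtin Administrators

# Two-letter SDDL rights aliases, as Win32 access masks
RIGHTS_ALIASES = {
    "FA": 0x1F01FF,  # FILE_ALL_ACCESS
    "FR": 0x120089,  # FILE_GENERIC_READ
    "FW": 0x120116,  # FILE_GENERIC_WRITE
    "FX": 0x1200A0,  # FILE_GENERIC_EXECUTE
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
}
# Bits that let a trustee change the file's content, DACL or owner:
# FILE_WRITE_DATA, FILE_APPEND_DATA, WRITE_DAC, WRITE_OWNER, GENERIC_ALL, GENERIC_WRITE
WRITE_MASK = 0x2 | 0x4 | 0x40000 | 0x80000 | 0x10000000 | 0x40000000

ACE_RE = re.compile(r"\(([^)]*)\)")


def rights_to_mask(field: str) -> int:
    """Translate an SDDL rights field (alias run such as 'FA', or a hex value) into a mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):  # aliases are two-letter tokens run together
        mask |= RIGHTS_ALIASES[field[i:i + 2]]
    return mask


def parse_dacl(sddl: str) -> List[Tuple[str, str, int, str]]:
    """Return (ace_type, ace_flags, access_mask, trustee) for every ACE in a 'D:' string."""
    if not sddl.startswith("D:"):
        raise ValueError("expected a DACL string starting with 'D:'")
    aces = []
    for body in ACE_RE.findall(sddl):
        ace_type, flags, rights, _obj, _inherit_obj, trustee = body.split(";")
        aces.append((ace_type, flags, rights_to_mask(rights), trustee))
    return aces


def parse_acl_file(text: str) -> Dict[str, str]:
    """Map each path in an icacls /save style listing to its SDDL string."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("ACL listing must alternate path and SDDL lines")
    return dict(zip(lines[0::2], lines[1::2]))


def check_acl_tree(text: str) -> List[str]:
    """Flag ACEs that weaken the OpenSSH key files; an empty list means the tree passes."""
    findings = []
    for path, sddl in parse_acl_file(text).items():
        name = path.rsplit("\\", 1)[-1]
        private_key = name.startswith("ssh_host_") and name.endswith("_key")
        for ace_type, _flags, mask, trustee in parse_dacl(sddl):
            if ace_type != "A" or trustee in ADMIN_TRUSTEES:
                continue  # deny ACEs and SYSTEM/Administrators grants are fine
            if private_key:
                findings.append(f"{path}: host private key accessible by {trustee}")
            elif name == "administrators_authorized_keys" and mask & WRITE_MASK:
                findings.append(f"{path}: trusted keys file writable by {trustee}")
    return findings


# Constructed sample: the entries from the page's acl-ssh-tree.txt that matter here
GOOD_TREE = r"""
ssh
D:P(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)
ssh\administrators_authorized_keys
D:PAI(A;;FA;;;SY)(A;;FA;;;BA)(A;;FR;;;LS)
ssh\ssh_host_ed25519_key
D:P(A;;FA;;;BA)(A;;FA;;;SY)
ssh\ssh_host_ed25519_key.pub
D:P(A;;FA;;;BA)(A;;FA;;;SY)
"""

# Constructed sample of a loosened tree: Authenticated Users can read the
# private host key and rewrite the trusted keys file
BAD_TREE = r"""
ssh\ssh_host_ed25519_key
D:P(A;;FA;;;BA)(A;;FA;;;SY)(A;;FR;;;AU)
ssh\administrators_authorized_keys
D:PAI(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;AU)
"""

if __name__ == "__main__":
    for label, tree in (("page tree", GOOD_TREE), ("loosened tree", BAD_TREE)):
        print(label, check_acl_tree(tree) or "OK")
```

    Run it against the real acl-ssh-tree.txt by reading the file (icacls /save writes UTF-16, so open it with that encoding) and passing the text to check_acl_tree; the page's tree produces no findings, the loosened one produces two.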


  2. Posts : 4,143
    Windows 3.1 to Windows 11
       #2

    You do realize that (when I understand and can follow the processes you used) this could be scripted for Win10XPE....
    The "Quick Start Guide" was created by KYHI as were most of the Application Scripts...


  3. Posts : 42
    Win11 Enterprise 23H2
    Thread Starter
       #3

    Hi Kyhi,

    1.
    Kyhi said:
    You do realize that (when I understand and can follow the processes you used) this could be scripted for Win10XPE....
    The script I made was from : Win10XPE --> Additions --> Reg Convert PE

    I found that button quite intuitive. And the end product looked very similar to other scripts. But I am not sure if that's the correct way to do the things. As such I never wrote any Win10XPE script before.

    2.
    The "Quick Start Guide" was created by KYHI as were most of the Application Scripts...
    Oh, my ignorance! Thanks for enlightening. You too are a Legend for me !!

    -Gamma


  4. Posts : 42
    Win11 Enterprise 23H2
    Thread Starter
       #4

    Test successful with 22H2 source


    Hello Friends,

    I tested the above procedure on the latest WinBuilder ver 2022-09-24 using source Win11_22H2_x64 Pro version 22621.382. The test was successful. I could connect from an ssh-client to the Win10XPE ISO virtual machine. Thanks.

    -Gamma


  5. Posts : 9
    10 x64
       #5

    Since this is the thread that got me started on OpenSSH in Win10XPE
    I thought it appropriate to post here, thanks for the push.

    I have a working OpenSSH_XPE.Script and I need some testers.
    Please PM me.

    [attachments: screenshot00001.jpg, openssh2.jpg, openssh3.jpg, openssh4.jpg]
    Last edited by RoyM; 01 Jan 2023 at 00:27.


  6. Posts : 9
    10 x64
       #6

    Hi GammaP
    I got your PM, it seems I don't have permissions for a private PM.

    [attachment: privatepmproblem.jpg]


  7. Posts : 42
    Win11 Enterprise 23H2
    Thread Starter
       #7

    Got Roy's script


    RoyM said:
    Hi GammaP
    I got your PM, it seems I don't have permissions for a private PM.



    No worries! Here is my message to you :


    Hi Roy,

    Thanks for the link to your ssh script. Will test on the latest win10xpe release. I will need to install the latest Win10XPE, so it might take some time. I plan to do it over the coming weekend. Will let you know if I need or find something.

    -Gamma


  8. Posts : 9
    10 x64
       #8

    Sounds like a plan.
    Have a good weekend GammaP

    Regards
    RoyM


  9. Posts : 42
    Win11 Enterprise 23H2
    Thread Starter
       #9

    Hello RoyM,

    I built the xpe with your script. I am pleased to say that your script is working perfectly. But I had to disable the firewall. Then I could log in using a password. The only thing missing was public key login.

    I saw the log file and immediately spotted that the program was looking for the public key at X:\Windows\.ssh\authorized_keys. But the path did not exist. So it threw up an error and reverted to password login.

    I created the missing folder and the file and pasted the public key. And the authentication was through. Yaay!

    Later I found that the netsh advfirewall context is not available. That's the reason the firewall rules are not added.

    A big thank you for your efforts.

    -Gamma

    Edit : fw context
    Last edited by GammaP; 06 Jan 2023 at 14:29.
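    As an added example, not part of this thread or of Roy's script, the Python below models how sshd decides which AuthorizedKeysFile to open for a login: the first value of a keyword wins in the global section, a matching Match block overrides it, the %h/%u tokens and the Windows port's __PROGRAMDATA__ token are expanded, and relative paths are taken under the user's home directory. With the administrator's home assumed to be X:\Windows (the shell in step 7 lands there), a config carrying only the stock `.ssh/authorized_keys` value resolves to exactly the X:\Windows\.ssh\authorized_keys path seen in the log above, while the Match block that the Windows port's default config ships for administrators points at ProgramData instead. It also reports whether PasswordAuthentication still permits the fallback to password login. The sample configs and the user, group, home and ProgramData values are constructed.

```python
"""Which authorized_keys path will sshd consult for a given login? (added example)

Models sshd_config's keyword lookup (first value wins in the global section,
the first matching Match block that sets the keyword overrides it) and the
token expansion applied to AuthorizedKeysFile, so the path sshd opens can be
predicted before booting the PE.
"""
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple

Directives = Dict[str, str]

# Constructed sample in the shape of the Win32-OpenSSH default config: a global
# AuthorizedKeysFile plus the Match block the port ships for administrators.
STOCK_CONFIG = """
# Keys are expected in the user's home directory unless a Match block says otherwise
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes

Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
"""

# Constructed sample with no Match block at all
HOME_ONLY_CONFIG = """
AuthorizedKeysFile .ssh/authorized_keys
"""


def parse_sshd_config(text: str) -> Tuple[Directives, List[Tuple[List[str], Directives]]]:
    """Split a config into global directives and (criteria, directives) Match blocks."""
    global_cfg: Directives = {}
    blocks: List[Tuple[List[str], Directives]] = []
    current = global_cfg
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            blocks.append((value.split(), current))
        else:
            current.setdefault(key, value)  # sshd keeps the first occurrence of a keyword
    return global_cfg, blocks


def match_applies(criteria: List[str], user: str, groups: List[str]) -> bool:
    """Evaluate 'Match User ... Group ...' criteria; other criteria count as non-matching."""
    for crit, pattern in zip(criteria[0::2], criteria[1::2]):
        patterns = pattern.lower().split(",")
        if crit.lower() == "user":
            if not any(fnmatchcase(user.lower(), p) for p in patterns):
                return False
        elif crit.lower() == "group":
            if not any(fnmatchcase(g.lower(), p) for g in groups for p in patterns):
                return False
        else:
            return False  # Address/Host/LocalPort are not modelled in this example
    return True


def effective(key: str, text: str, user: str, groups: List[str], default: str) -> str:
    """Value sshd uses for `key` on this login: first matching Match block, else global."""
    global_cfg, blocks = parse_sshd_config(text)
    for criteria, directives in blocks:
        if key in directives and match_applies(criteria, user, groups):
            return directives[key]
    return global_cfg.get(key, default)


def expand_path(path: str, user: str, home: str, programdata: str) -> str:
    """Expand %h, %u, %% and the Windows port's __PROGRAMDATA__; relative paths live under home."""
    p = path.replace("%%", "\0").replace("%h", home).replace("%u", user).replace("\0", "%")
    p = p.replace("__PROGRAMDATA__", programdata).replace("/", "\\")
    if not (len(p) > 1 and p[1] == ":"):  # no drive letter: relative to the home directory
        p = home.rstrip("\\") + "\\" + p
    return p


def authorized_keys_paths(text: str, user: str, groups: List[str],
                          home: str, programdata: str) -> List[str]:
    """Every file sshd will try, in order, for this user's public keys."""
    value = effective("authorizedkeysfile", text, user, groups,
                      ".ssh/authorized_keys .ssh/authorized_keys2")
    if value.lower() == "none":
        return []
    return [expand_path(tok, user, home, programdata) for tok in value.split()]


def password_fallback(text: str, user: str, groups: List[str]) -> bool:
    """True when a failed key login can still fall back to a password."""
    return effective("passwordauthentication", text, user, groups, "yes").lower() == "yes"


if __name__ == "__main__":
    # Assumed WinPE values: administrator's home is X:\Windows, ProgramData is X:\ProgramData
    admin = ("administrator", ["administrators"], r"X:\Windows", r"X:\ProgramData")
    print("no Match block :", authorized_keys_paths(HOME_ONLY_CONFIG, *admin))
    print("stock config   :", authorized_keys_paths(STOCK_CONFIG, *admin))
    print("password fallback:", password_fallback(STOCK_CONFIG, *admin[:2]))
```

    Feed it the sshd_config that actually ships in the ISO to see, per account, where the public key must be placed; if password_fallback reports True, a key lookup that fails on a missing path will be silently followed by a password prompt, which is what made the missing folder easy to miss.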


  10. Posts : 4,143
    Windows 3.1 to Windows 11
       #10

    If this is something you would like to see as part of the project - please forward the script


Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.